We are planning to migrate users from our company domain (domainA) to our parent company's domain (domainB). The login IDs for the users are going to change from domainA\firstname.lastname to domainB\employee#
For now, the TFS servers will reside in domainA.
What would be the best way to migrate our TFS users and still ensure that they maintain their current permissions?
I did find this document regarding the Identities command: https://learn.microsoft.com/en-us/vsts/tfs-server/admin/move-across-domains
thanks
If you just want to migrate accounts across domains in Active Directory and keep the TFS server residing in domain A, you could use the TFSConfig Identities command, which lists or changes the security identifier (SID) of users and groups in your deployment of TFS.
First of all, there should be a trust relationship between your two domains. Then follow the steps below:
Open the command line as admin and navigate to “C:\Program Files\Microsoft Team Foundation Server 14.0\Tools”
Run TFSConfig Identities with the right parameters, such as:
TFSConfig Identities /change /fromdomain:Domain1 /todomain:Domain2 /account:OldAccount /toaccount:NewAccount
Review the result
Note: Once a user account is present in TFS, it cannot be removed or have another account mapped to it. For example, if you are moving DomainA/UserA to DomainB/UserB, the Identities command would only work to migrate the user if DomainB/UserB is not already present in TFS.
For more detailed steps, please refer to this tutorial.
If you also want to move a Team Foundation Server installation from one domain to another, you need to follow the instructions exactly: Move Team Foundation Server from one environment to another
Update from OP:
To prevent migrated users from reverting back to their previous account, I had to make sure that they weren't part of any domainA groups. Once removed, I ran the following:
TFSServiceControl quiesce
TFSConfig Identities /change /fromdomain:OldDomainName /todomain:NewDomainName /account:OldAccountName /toaccount:NewAccountName
TFSServiceControl unquiesce
I then ran a PowerShell script that forced an AD sync with TFS:
[Reflection.Assembly]::Load("Microsoft.TeamFoundation.Client, Version=11.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
# connect to the server
$credProvider = new-object Microsoft.TeamFoundation.Client.UICredentialsProvider
$tfsConnection = new-object Microsoft.TeamFoundation.Client.TfsConfigurationServer "http://localhost:8080/tfs", $credProvider   # http scheme assumed; use your server URL
$tfsConnection.EnsureAuthenticated()
# force a full sync on the next sync execution.
$tfRegistry = $tfsConnection.GetService([Microsoft.TeamFoundation.Framework.Client.ITeamFoundationRegistry])
$tfRegistry.SetValue('/Service/Integration/Settings/IdentitySyncFull', $true)
# Kick the IMS periodic job so that it syncs.
$jobIds = [Guid[]] @('544DD581-F72A-45A9-8DE0-8CD3A5F29DFE')
$jobSvc = $tfsConnection.GetService([Microsoft.TeamFoundation.Framework.Client.ITeamFoundationJobService])
$jobSvc.QueueJobsNow($jobIds, $true)
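An added example, not code from either post above: it drives the answer's TFSConfig Identities procedure for a whole batch of users from a CSV mapping, applies the OP's "no remaining domainA group membership" check first, and wraps the batch in quiesce/unquiesce. Assumed: the ActiveDirectory module is installed, the CSV has columns OldAccount and NewAccount (account names without a domain prefix), and the tool paths match the answer; the CSV path is a constructed placeholder.

```powershell
# Added example (not from the original posts): batch driver for the
# TFSConfig Identities procedure, with the OP's domainA-group pre-check.
# Assumptions: ActiveDirectory module available; CSV columns OldAccount,NewAccount
# (account names without domain prefix); tool paths as given in the answer.
param(
    [string]$MappingCsv = 'C:\temp\identity-map.csv',   # constructed sample path
    [string]$FromDomain = 'domainA',
    [string]$ToDomain   = 'domainB',
    [string]$ToolsDir   = 'C:\Program Files\Microsoft Team Foundation Server 14.0\Tools',
    [switch]$WhatIf
)
$tfsConfig  = Join-Path $ToolsDir 'TFSConfig.exe'
$svcControl = Join-Path $ToolsDir 'TFSServiceControl.exe'
$log = Join-Path $env:TEMP 'tfs-identity-migration.log'
function Write-Log([string]$Message) { Add-Content -Path $log -Value $Message; Write-Output $Message }

function Test-NoSourceGroupMembership([string]$Sam) {
    # The OP saw migrated identities revert while the old account was still a
    # member of domainA groups, so any membership except the primary group blocks.
    $groups = Get-ADPrincipalGroupMembership -Identity $Sam -Server $FromDomain |
              Where-Object { $_.Name -ne 'Domain Users' }   # assumption: primary group only
    return (@($groups).Count -eq 0)
}

$map = Import-Csv $MappingCsv
$blocked = @($map | Where-Object { -not (Test-NoSourceGroupMembership $_.OldAccount) })
if ($blocked.Count -gt 0) {
    $blocked | ForEach-Object { Write-Log "BLOCKED: $FromDomain\$($_.OldAccount) is still in $FromDomain groups" }
    throw "Remove the listed accounts from $FromDomain groups before migrating."
}

# Quiesce once for the whole batch, as in the OP's update, and always unquiesce.
if (-not $WhatIf) { & $svcControl quiesce }
try {
    foreach ($row in $map) {
        $cmdArgs = @('Identities', '/change', "/fromdomain:$FromDomain", "/todomain:$ToDomain",
                     "/account:$($row.OldAccount)", "/toaccount:$($row.NewAccount)")
        if ($WhatIf) { Write-Log "WHATIF: TFSConfig $($cmdArgs -join ' ')"; continue }
        $out = & $tfsConfig @cmdArgs 2>&1
        # Review each result: per the answer's note, a target account already
        # present in TFS cannot be mapped, so a failure here is expected for those.
        Write-Log "$($row.OldAccount) -> $($row.NewAccount): exit $LASTEXITCODE`n$($out -join "`n")"
    }
} finally {
    if (-not $WhatIf) { & $svcControl unquiesce }
}
Write-Log "Done. Review $log, then force the identity sync."
```

Run it once with -WhatIf to see the exact TFSConfig commands it would issue before touching the server.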